From 4d448d096325f5f62b49c13d1139f70ee2fe94ab Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Mon, 16 Dec 2024 09:42:42 +0100
Subject: [PATCH] SQSCANGHA-76 Support self-hosted runners not clearing truststore after run

---
 .github/workflows/qa-main.yml    | 33 +++++++++++++++++++++++++++++---
 scripts/run-sonar-scanner-cli.sh | 11 +++++++++--
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/qa-main.yml b/.github/workflows/qa-main.yml
index 6427f00..bffe00d 100644
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -619,9 +619,9 @@ jobs:
       - name: Assert failure of previous step
         if: steps.wrong_ssl_certificate.outcome == 'success'
         run: exit 1
-  overridesScannerLocalFolderWhenPresent:
+  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
-      'SCANNER_LOCAL_FOLDER' is overridden with warning when present
+      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -653,4 +653,31 @@ jobs:
         run: |
           [ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
           [ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
-
+  overridesSonarSslFolderWhenPresent: # can happen in uncleaned self-hosted runners
+    name: >
+      'SONAR_SSL_FOLDER' is cleaned with warning when present
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create SONAR_SSL_FOLDER with truststore.p12 file in it
+        run: |
+          SONAR_SSL_FOLDER=~/.sonar/ssl
+          mkdir -p "$SONAR_SSL_FOLDER"
+          touch "$SONAR_SSL_FOLDER/truststore.p12"
+          # emit SONAR_SSL_FOLDER to be able to read it in the next steps
+          echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
+      - name: Assert truststore.p12 file exists
+        run: |
+          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
+      - name: Run action
+        uses: ./
+        env:
+          # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
+          SONAR_HOST_URL: http://not_actually_used
+        with:
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+      - name: Assert truststore.p12 doesn't exists anymore
+        run: |
+          [ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
diff --git a/scripts/run-sonar-scanner-cli.sh b/scripts/run-sonar-scanner-cli.sh
index 14caadc..9e9ed7a 100755
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -21,6 +21,13 @@ if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
   scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
 fi
 
+# The SSL folder may exist on an uncleaned self-hosted runner
+SONAR_SSL_FOLDER=~/.sonar/ssl
+if [ -d "$SONAR_SSL_FOLDER" ]; then
+  echo "::warning title=SonarScanner::Cleaning existing SSL folder: $SONAR_SSL_FOLDER"
+  rm -rf "$SONAR_SSL_FOLDER"
+fi
+
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   echo "Adding SSL certificate to the Scanner truststore"
   rm -f $RUNNER_TEMP/tmpcert.pem
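Review bot: The new job's final assertion only proves that `truststore.p12` was deleted; nothing checks the `::warning` annotation the job name promises, and the scenario the change is presumably fixing — a stale `truststore.p12` left by an earlier run on a runner that then sets `SONAR_ROOT_CERT` — is never exercised, because the `Run action` step here runs without a certificate. A second `Run action` step with `SONAR_ROOT_CERT` set (the `wrong_ssl_certificate` step visible in the earlier hunk suggests certificate fixtures already exist in this workflow) followed by an assertion that a fresh `truststore.p12` is written would pin the actual regression rather than just the cleanup side effect. Minor: `$GITHUB_ENV` is unquoted in the first step; `echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> "$GITHUB_ENV"` matches the quoting used on the lines above it.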
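Review bot: `rm -rf "$SONAR_SSL_FOLDER"` removes the whole `~/.sonar/ssl` directory on every run, not just the `truststore.p12` this script writes later in the `SONAR_ROOT_CERT` branch, so on a self-hosted runner where an operator deliberately provisioned that directory (presumably a truststore for a private CA that the scanner picks up when `SONAR_ROOT_CERT` is unset) it is wiped with only a warning and no way to opt out. Narrowing the cleanup to the file the action itself owns keeps the fix for stale stores while leaving operator-managed content alone: `if [[ -f "$SONAR_SSL_FOLDER/truststore.p12" ]]; then`, `echo "::warning title=SonarScanner::Removing existing truststore: $SONAR_SSL_FOLDER/truststore.p12"`, `rm -f "$SONAR_SSL_FOLDER/truststore.p12"`; the new qa-main job, which asserts only that the file is gone, still passes with this form. Style: the added test uses single-bracket `[ -d ... ]` while the surrounding script uses `[[ ... ]]`, so matching the file's form avoids two conditional styles side by side.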
@@ -28,8 +35,8 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
   # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
   store_pass=changeit
-  mkdir -p ~/.sonar/ssl
-  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
+  mkdir -p "$SONAR_SSL_FOLDER"
+  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore $SONAR_SSL_FOLDER/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
   scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
 fi
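Review bot: `-keystore $SONAR_SSL_FOLDER/truststore.p12` is left unquoted while the `mkdir -p "$SONAR_SSL_FOLDER"` directly above quotes the same variable; `SONAR_SSL_FOLDER` is derived from `~`, i.e. the runner's `HOME`, which the action does not control on self-hosted runners, so a path containing whitespace would be word-split into a malformed keytool invocation and a truststore written somewhere other than where the scanner is later told to look. Quote it to match the line above: `-keystore "$SONAR_SSL_FOLDER/truststore.p12"`. The `$SONAR_SCANNER_JRE/bin/java` and `$RUNNER_TEMP/tmpcert.pem` references on the same line predate this change and share the issue. The enclosing `if [[ -n "${SONAR_ROOT_CERT}" ]]` block starts outside the hunk.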